Try handling wildcards

n1v0lg · n1v0lg · commit 320256681227 · 2025-01-31T12:06:09.000+01:00
diff --git a/server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolver.java b/server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolver.java
@@ -22,7 +22,7 @@
 import java.util.List;
 import java.util.Set;
 import java.util.function.BiPredicate;
-import java.util.function.Supplier;
+import java.util.function.Function;
 
 public class IndexAbstractionResolver {
 
@@ -32,13 +32,11 @@ public IndexAbstractionResolver(IndexNameExpressionResolver indexNameExpressionR
         this.indexNameExpressionResolver = indexNameExpressionResolver;
     }
 
-    public record IndexNameWithSelector(String index, @Nullable String selector) {}
-
     public List<String> resolveIndexAbstractions(
         Iterable<String> indices,
         IndicesOptions indicesOptions,
         Metadata metadata,
-        Supplier<Set<String>> allAuthorizedAndAvailable,
+        Function<String, Set<String>> allAuthorizedAndAvailable,
         BiPredicate<String, String> isAuthorized,
         boolean includeDataStreams
     ) {
@@ -72,7 +70,7 @@ public List<String> resolveIndexAbstractions(
             if (indicesOptions.expandWildcardExpressions() && Regex.isSimpleMatchPattern(indexAbstraction)) {
                 wildcardSeen = true;
                 Set<String> resolvedIndices = new HashSet<>();
-                for (String authorizedIndex : allAuthorizedAndAvailable.get()) {
+                for (String authorizedIndex : allAuthorizedAndAvailable.apply(selectorString)) {
                     if (Regex.simpleMatch(indexAbstraction, authorizedIndex)
                         && isIndexVisible(
                             indexAbstraction,
diff --git a/server/src/test/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolverTests.java b/server/src/test/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolverTests.java
@@ -240,7 +240,7 @@ private List<String> resolveAbstractions(List<String> expressions, IndicesOption
             expressions,
             indicesOptions,
             metadata,
-            mask,
+            (selector) -> mask.get(),
             (idx, selector) -> true,
             true
         );
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java
@@ -292,6 +292,8 @@ interface AuthorizedIndices {
          */
         Supplier<Set<String>> all();
 
+        Set<String> all(String selector);
+
         /**
          * Checks if an index-like resource name is authorized, for an action by a user. The resource might or might not exist.
          */
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
@@ -351,7 +351,7 @@ ResolvedIndices resolveIndicesAndAliases(
                     split.getLocal(),
                     indicesOptions,
                     metadata,
-                    authorizedIndices.all(),
+                    authorizedIndices::all,
                     authorizedIndices::check,
                     indicesRequest.includeDataStreams()
                 );
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
@@ -39,8 +39,8 @@
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.CachedSupplier;
 import org.elasticsearch.common.util.set.Sets;
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.index.Index;
 import org.elasticsearch.index.shard.ShardId;
 import org.elasticsearch.transport.TransportActionProxy;
@@ -108,6 +108,7 @@
 import java.util.TreeSet;
 import java.util.function.BiPredicate;
 import java.util.function.Consumer;
+import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
@@ -870,13 +871,13 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(
         TransportRequest request = requestInfo.getRequest();
         final boolean includeDataStreams = (request instanceof IndicesRequest) && ((IndicesRequest) request).includeDataStreams();
         // TODO need a function not a supplier
-        return new AuthorizedIndices(() -> {
+        return new AuthorizedIndices((selector) -> {
             Consumer<Collection<String>> timeChecker = timerSupplier.get();
             Set<String> indicesAndAliases = new HashSet<>();
             // TODO: can this be done smarter? I think there are usually more indices/aliases in the cluster then indices defined a roles?
             if (includeDataStreams) {
                 for (IndexAbstraction indexAbstraction : lookup.values()) {
-                    if (predicate.test(indexAbstraction)) {
+                    if (predicate.test(indexAbstraction, selector)) {
                         indicesAndAliases.add(indexAbstraction.getName());
                         if (indexAbstraction.getType() == IndexAbstraction.Type.DATA_STREAM) {
                             // add data stream and its backing indices for any authorized data streams
@@ -1037,17 +1038,26 @@ private static boolean isAsyncRelatedAction(String action) {
 
     static final class AuthorizedIndices implements AuthorizationEngine.AuthorizedIndices {
 
-        private final CachedSupplier<Set<String>> allAuthorizedAndAvailableSupplier;
+        // TODO results need to be cached
+        private final Function<String, Set<String>> allAuthorizedAndAvailableBySelector;
         private final BiPredicate<String, String> isAuthorizedPredicate;
 
-        AuthorizedIndices(Supplier<Set<String>> allAuthorizedAndAvailableSupplier, BiPredicate<String, String> isAuthorizedPredicate) {
-            this.allAuthorizedAndAvailableSupplier = CachedSupplier.wrap(allAuthorizedAndAvailableSupplier);
+        AuthorizedIndices(
+            Function<String, Set<String>> allAuthorizedAndAvailableBySelector,
+            BiPredicate<String, String> isAuthorizedPredicate
+        ) {
+            this.allAuthorizedAndAvailableBySelector = allAuthorizedAndAvailableBySelector;
             this.isAuthorizedPredicate = Objects.requireNonNull(isAuthorizedPredicate);
         }
 
         @Override
         public Supplier<Set<String>> all() {
-            return allAuthorizedAndAvailableSupplier;
+            return () -> all(null);
+        }
+
+        @Override
+        public Set<String> all(@Nullable String selector) {
+            return allAuthorizedAndAvailableBySelector.apply(selector);
         }
 
         @Override
